BBS Shuimu Tsinghua Station: Digest Area
Poster: vertex (happy hacking), Board: Linux
Title: Kernel Level Security -- News from Linux.com, Linuxtoday.com
Posted at: BBS Shuimu Tsinghua Station (Fri Jan 28 20:57:29 2000) WWW-POST
This is an article from
http://www.linux.com/development/newsitem.phtml?sid=63&aid=6484
News about LIDS and others, :-))..
Kernel Level Security
Wed, 19 Jan 2000 03:54:22pm
As technology gets more and more advanced, the need for better electronic
security becomes higher. Many technology companies have made millions by
providing user-space security programs and Web Appliances. While this
top-down approach to security has served its purpose, there has been a push
towards a more bottom-up solution.
The flexibility of the Linux kernel allows for such an approach. There are
several new kernel patches that can prevent the basic exploits used to breach
security. The Linux Intrusion Detection System (LIDS) is a kernel patch that
can completely secure files on your hard disk. When the LIDS kernel
components are in effect, a specified list of files CANNOT be changed, not
even by root. An instance where this patch would be exceptionally handy is
preventing the new trend of web graffiti. If you don't think web page
defacing is a problem, visit www.2600.com and view the archive of hacked web
sites. The LIDS patch can be used to secure the HTML and CGI scripts used by
your web server. This means that even if a hacker obtains root access, he
cannot edit or remove these files.
Another popular hacking technique is to replace the 'ls' command with an altered
version that will not list the extraneous directories the hacker has placed
on your filesystem. One of the more advanced features of LIDS is its ability
to protect the Master Boot Record. Webmotion, Inc. has merged their own
intrusion detection system with the LIDS product. The new features that
Webmotion has added are an alert mechanism for security breach attempts, the
ability to block insertion of modules into the kernel, or to require a
password, and the ability to hide processes in ps and in the /proc
filesystem.
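The two attacks just described, defaced web content and a trojaned 'ls', are both changes to files that should never change. LIDS prevents the change in the kernel; the complementary defence is to detect it. The following is an added example, not code from the article or from the LIDS project: a minimal integrity check that records a hash baseline of known-good files and later reports any file whose content no longer matches. The hash is 64-bit FNV-1a only because it needs no library; a real baseline would use a cryptographic hash such as SHA-256, and the baseline itself would be stored where root cannot rewrite it, which is exactly what LIDS-style kernel protection provides. The temporary file and its contents are constructed for the demonstration.

```c
/* Added example (not from the article or from LIDS): baseline-and-verify
 * file integrity check of the kind used to notice defaced web pages or a
 * replaced system binary. FNV-1a is used here purely to stay dependency
 * free; use a cryptographic hash in practice. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define FNV_OFFSET 14695981039346656037ULL
#define FNV_PRIME  1099511628211ULL

/* 64-bit FNV-1a over a buffer. */
uint64_t fnv1a64(const unsigned char *data, size_t len) {
    uint64_t h = FNV_OFFSET;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= FNV_PRIME;
    }
    return h;
}

/* Hash an entire file; returns 0 on success, -1 if it cannot be read. */
int hash_file(const char *path, uint64_t *out) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    uint64_t h = FNV_OFFSET;
    unsigned char buf[4096];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0) {
        for (size_t i = 0; i < n; i++) { h ^= buf[i]; h *= FNV_PRIME; }
    }
    int err = ferror(f);
    fclose(f);
    if (err) return -1;
    *out = h;
    return 0;
}

struct entry { const char *path; uint64_t hash; };

/* Recompute every hash in the baseline and report mismatches.
 * Returns the number of files that changed or became unreadable
 * (0 means everything still matches). */
int verify_baseline(const struct entry *base, size_t n) {
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t h;
        if (hash_file(base[i].path, &h) != 0) {
            fprintf(stderr, "MISSING/UNREADABLE: %s\n", base[i].path);
            bad++;
        } else if (h != base[i].hash) {
            fprintf(stderr, "MODIFIED: %s\n", base[i].path);
            bad++;
        }
    }
    return bad;
}

/* Demonstration on a constructed temporary file: take the baseline, then
 * overwrite the file the way a defacement would, and confirm the check
 * flags it. Returns 1 if the modification was detected, 0 otherwise. */
int demo_detect_defacement(void) {
    char path[] = "/tmp/index_XXXXXX";          /* constructed sample file */
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    const char *good = "<html>welcome</html>\n";
    if (write(fd, good, strlen(good)) < 0) { close(fd); unlink(path); return 0; }
    close(fd);

    struct entry base[1] = { { path, 0 } };
    if (hash_file(path, &base[0].hash) != 0) { unlink(path); return 0; }
    int before = verify_baseline(base, 1);   /* clean: 0 mismatches */

    FILE *f = fopen(path, "wb");
    if (!f) { unlink(path); return 0; }
    fputs("<html>defaced</html>\n", f);       /* simulated tampering */
    fclose(f);
    int after = verify_baseline(base, 1);    /* tampered: 1 mismatch */

    unlink(path);
    return before == 0 && after == 1;
}
```

In use, the baseline would be taken right after installation, from a read-only or LIDS-protected location, and `verify_baseline` run from cron or at boot; the order matters, since a baseline taken after a compromise just certifies the attacker's files.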
The Secure Linux Patch adds limitations to user-space memory to decrease the
ability of an attacker to perform the more common buffer exploits. Secure
Linux Patch also limits the ability to place symbolic links and FIFOs in the
/tmp directory. Since the /tmp directory is world readable and writable,
programs could take advantage of this to exploit race conditions. Another
popular exploit is to redirect file descriptors 0, 1, and 2 of a
process. These descriptors (standard input, standard output, and standard error
respectively) would then be directed to write to or take input from another
file or FIFO. Secure Linux ensures that these file descriptors are opened
properly upon each process execution. This patch can also block certain parts
of the /proc filesystem from being viewed by all users. This keeps potential
hackers from gaining precious user and process information about your server.
The International Kernel Patch allows for the inclusion of strong
cryptography in the Linux Kernel. This, in conjunction with other software,
can allow the inclusion of strong cryptography in almost every aspect of the
kernel. One of the most impressive implementations of this is the EHD patch
to the util-linux set of basic Linux utilities, allowing for encryption of
mounted devices, to prevent hijacking of information. EHD will encrypt a
user's home directory so that only those who know the passphrase can access
his/her files. The encryption is implemented via the International kernel
patch and an encrypted loop device. Combining the two allows a user to mount
and decrypt their home directory across an encrypted loop device. This makes
sniffing data virtually impossible.
Another implementation of the International kernel patch is the Crypto IP
Encapsulation (CIPE). This implements the transmission of encrypted UDP
packets between routers. This makes for a quick and dirty sort of Virtual
Private Network. You can use this encrypted correspondence between routers to
connect two secured subnets across an insecure network in between. One
example would be to use CIPE to connect two corporate networks across an
insecure production network in between.
These tips, in conjunction with a secure network layout, will keep your data
safe from the prying eyes of the internet.
--
※ Source: BBS Shuimu Tsinghua Station smth.org [FROM: 159.226.91.59]